Parliament: Store Critical Data in India

A Parliamentary panel recently urged the government's Department of Electronics and Information Technology to relocate all Internet servers for critical sectors in India for security reasons and to take stringent measures to safeguard indigenous servers.

The committee argued that though most websites and servers are hosted outside India due to cost advantages, business continuity and legal concerns, it is important now to locate critical sector servers within India to take appropriate security and legal measures in case of cyberattacks.

Security and cyber law leaders say that data related to critical sectors stored within foreign boundaries offers scope to agencies to mine them through hacking into other countries. But a new concern: When servers are located outside of India, indemnity in case of data loss is seldom prescribed in the agreements signed between nations.

Mumbai-based Prashant Mali, attorney and president of CyberLaw Consulting, says it's a misconception that data managed by professionals such as third-party providers is cost-effective and safe. "Most believe that since the data is away and beyond the reach of law enforcement agencies, it doesn't fall under the purview of Indian legislation," he says. "Rather, it increases the challenges of establishing data ownership."

Bangalore-based J. Prasanna, director and founder of Cyber Security and Privacy Foundation Pte. Ltd., says that because servers outside India are mostly handled by Internet service providers, these entities do not cooperate with Indian law enforcement agencies in investigating cyber crime, cyber terrorism and data misuse.

Security and Legal Challenges

The parliamentary standing committee is unhappy that India depends largely on imported electronics and a that majority of the websites are still hosted outside the nation. In a report, the committee says, "The government has adopted strategies to deal with the hassles and drafted an 'e-mail policy' and 'data storage policy' for the central and state governments. But keeping security in mind, it should take measures to locate servers for critical sectors within India, taking stringent measures to safeguard indigenous servers as most cyberattacks are in '.in' domain."

The committee says there's also a challenge regarding disposal of appeal by the Cyber Appellate Tribunal due to lack of a chairperson and manpower.

Bangalore-based Sriram S., CEO at iValue InfoSolutions, a managed security service provider, says: "It's critical to understand the laws of that geography to resolve issues regarding breaches or SLA failure, if data's located outside."

Sriram asserts that because most leading cloud service providers in the infrastructure area are based outside India, Indian customers prefer to work with the world's leading brands when it comes to public cloud to mitigate risks. So, most organizations have their data center outside India because the Indian volumes did not warrant a local data center. This has led to security concerns across all spheres, including protecting data against exfiltration, securing all entry points and complying with local legislation.

Mali points out that the key challenge in relocation is migration of a huge amount of data and risk of data loss. "In fact, the legal risk and penalties of data leakage or loss outweigh the cost advantage of servers outside India," Mali says.

Steps to Safeguard Servers

Security leaders say it's all about safeguarding Internet servers and causing less damage to data, given the complexity of international laws on data protection.

While the committee has recommended that DeitY work on server relocation, it has mandated that the department lay down provisions for certification for all imported electronics/IT/telecom, including security products, and have certification centres in each State/Union Territory, specifically, for example, at all airports, naval docks and international borders.

The panel strongly recommended the CAT deploy adequate manpower to dispose cases of data loss, as well as appoint a new chairperson, so as to be equipped to deal with future challenges.

Prasanna says he welcomes the panel's recommendations, but he's concerned that though most data centres are protected by top-notch firewall/IPS/network monitoring systems, there's a significant weakness in the all-important human capabilities.

"The government's understanding of black hat hackers, their mentality, their strategic, tactical and technical skills is limited; there's too much dependence on vendors and their technology - a big bottleneck in safeguarding servers," Prasanna says.

In response, the committee has recommended the government make efforts to increase the number of cybersecurity experts, auditors and those with IT skill as a top priority.

Mali strongly believes that in 2016, the government, instead of focusing on security tools and solutions, should focus on strategy and people. "To date, anti-virus is the first line of defense against malware, but history's shown these tools never detected any known malware; they only give a wrong sense of protection to organisations," he says. "It's time government organizations develop 'cybersecurity culture' in their own organizations to fight cybercrime."

"A budget must be allocated exclusively for faster detection to ensure lowest level of damage post-breach, since [breach] is inevitable," he adds. "Some malware remains undetected for months when the focus is mainly on prevention without detection/respond investments.

"I see most leading vendors and service providers building India datacentres based on continuous feedback over the years," Sriram says. "2016 will see new announcements from big organizations on setting up their critical servers in India."

However, Sriram cautions that bandwidth cost in India is high - a big challenge for hosting servers locally, since additional commercials must be built-in for upload and download charges, in addition to hosting/renting charges. "The government must bring down the cost in the same way that it brought down telecom voice/data cost and encourage hosting Internet servers in India," Sriram says.

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;